openSUSE admin

Unless you are logged in with your account, the function isn't active.

Carlos, I don't see any security issue or hole here, but I thought I would ask you before I reject the ticket.

The problem is that spammers have scripted their way, using hyperkitty, to mail spam to any mail list we have. Even if the setting is "subscribers only mail list".

They still have to have a mailman account, which we can hardly block 😀

They go to https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new, fill up their crap in the box, then hit [Send], and they are automatically subscribed on the act, possibly with a fake email.

Yep, that is how it works. The email has to be linked to their mailman account though, so no fakes.

This feature is a security hole, because it permits sending of spam.

In that case, subscribing to a list is also a security hole, because it permits the sending of spam.

If you want to call it something else instead of security, fine, but please, the feature should go.
This page should be changed to disable automatic subscription (or add a captcha), and if not possible, remove the page.

No, it is not about what to call it, the question is whether it is a genuine problem. As far as I am concerned, that option "Start a new thread" is completely superfluous, but I see no option to just disable it.

I am closing as resolved - if this "security hole" continues to be abused, feel free to reopen. Even better, maybe pursue directly with the mailman upstream project.